| 1 |
On Mon, May 11, 2015 at 12:09:08PM +0200, Niels Dettenbach wrote: |
| 2 |
> > As past long-standing practice, @Gentoo.org system-level mail handling for |
| 3 |
> > incoming mail was officially to tag everything, and delete nothing. |
| 4 |
> This is - for a public internet Mailer / MX - a VERY bad option - at least |
| 5 |
> mail not fulfilling basic email standards should be blocked (as usual by the |
| 6 |
> very most professional level mail services), because it could be (used) |
| 7 |
> abusive by thirds. |
| 8 |
There are people that still accept mail that violates standards? |
| 9 |
My above statement is for mail that we ACCEPTED. If it violates |
| 10 |
standards, it's already denied at SMTP time. |
| 11 |
|
| 12 |
smtpd_restriction_classes = restrictive,permissive |
| 13 |
restrictive = |
| 14 |
reject_invalid_hostname |
| 15 |
reject_non_fqdn_hostname |
| 16 |
reject_non_fqdn_recipient |
| 17 |
reject_non_fqdn_sender |
| 18 |
reject_unknown_sender_domain |
| 19 |
reject_unknown_recipient_domain |
| 20 |
check_sender_mx_access cidr:/etc/postfix/bogus_mx_records |
| 21 |
check_sender_access pcre:/etc/postfix/sender_access_control.pcre |
| 22 |
check_sender_access pcre:/etc/postfix/sender_access_control-aliases.pcre |
| 23 |
check_helo_access pcre:/etc/postfix/helo_checks |
| 24 |
reject_unverified_sender |
| 25 |
check_client_access cidr:/etc/postfix/filter.cidr |
| 26 |
permit |
| 27 |
permissive = |
| 28 |
permit |
| 29 |
|
| 30 |
> > Unless there are any major objections, as of May 17th, Infra will start |
| 31 |
> > dropping mail that scores more than 10.0 points in Spamassassin. |
| 32 |
> > |
| 33 |
> > If that is successful, I propose to drop the score point by 1 point every |
| 34 |
> > month until it hits a score of 5.0 (so by mid-October, it will be dropping |
| 35 |
> > mail that scores more than 5.0). |
| 36 |
> This will work (depending form some of your SA setup details and how far you |
| 37 |
> use all of the features, channels and possible extensions / third party |
| 38 |
> services - i.e. DCC, Razor, Pyzor, "all" the different update channels, Bayes |
| 39 |
> - while disabling DNSBLs and doing that still before in your mailer) until you |
| 40 |
> go down 5. |
| 41 |
See my other response, we've got pretty much all of the things going already. |
| 42 |
|
| 43 |
-- |
| 44 |
Robin Hugh Johnson |
| 45 |
Gentoo Linux: Developer, Infrastructure Lead |
| 46 |
E-Mail : robbat2@g.o |
| 47 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives